Diffstat (limited to 'labsrv01/secureboot.nix')
-rw-r--r--labsrv01/secureboot.nix66
1 files changed, 0 insertions, 66 deletions
diff --git a/labsrv01/secureboot.nix b/labsrv01/secureboot.nix
deleted file mode 100644
index 29bff21..0000000
--- a/labsrv01/secureboot.nix
+++ /dev/null
@@ -1,66 +0,0 @@
-{
- inputs,
- lib,
- pkgs,
- config,
- ...
-}:
-let
- sb-do-enroll-keys = pkgs.writeShellApplication {
- name = "sb-do-enroll-keys";
- text = ''
- set -ex;
- ${pkgs.sbctl}/bin/sbctl enroll-keys
- '';
- };
- sb-do-enroll-tpm = pkgs.writeShellApplication {
- name = "sb-do-enroll-tpm";
- runtimeInputs = [ pkgs.tpm2-tss ];
- text = ''
- set -ex;
- LUKS_DEVICE="${config.disko.devices.disk.nvme0n1.content.partitions.luks.device}"
- ${pkgs.systemd}/bin/systemd-cryptenroll --wipe-slot=tpm2 --tpm2-device=auto --tpm2-pcrs=0+7 "''${LUKS_DEVICE}"
- '';
- };
-in
-{
- imports = [
- inputs.lanzaboote.nixosModules.lanzaboote
- ];
-
- environment.systemPackages = [
- pkgs.sbctl
- sb-do-enroll-keys
- sb-do-enroll-tpm
- ];
-
- # Lanzaboote currently replaces the systemd-boot module.
- # This setting is usually set to true in configuration.nix
- # generated at installation time. So we force it to false
- # for now.
- boot.loader.systemd-boot.enable = lib.mkForce false;
- boot.initrd.systemd.enable = true;
- boot.initrd.systemd.tpm2.enable = true;
-
- boot.lanzaboote = {
- enable = true;
- pkiBundle = "/var/lib/sbctl";
- };
-
- # Create and enroll Secure Boot keys on first boot
- systemd.services.sbctl-setup = {
- description = "Create and enroll Secure Boot keys";
- wantedBy = [ "multi-user.target" ];
- unitConfig.ConditionPathExists = "!/var/lib/sbctl/GUID";
-
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
-
- script = ''
- echo "Creating Secure Boot keys..."
- ${pkgs.sbctl}/bin/sbctl create-keys
- '';
- };
-}